e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37

Analysis

max time kernel
152s
max time network
154s
platform
windows10_x64
resource
win10v20210410
submitted
26-07-2021 13:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37.sample.exe
Size

348KB
MD5

d0d3086cd72eb31385bf6406042cc404
SHA1

11f9bb5c17fe32b48d44575a29e94dd082d38483
SHA256

e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37
SHA512

153dce24258abfc3440208b100c26a847c2396fe7893844ba8d8e66659e4cd567d2ab8ac9d9d19e7cdc80b6dc89080b1966bf5f2d82ef76bfc814902beae071e

Score

10^/10

evasion persistence ransomware spyware stealer suricata

Malware Config

Extracted

Path

C:\$Recycle.Bin\S-1-5-21-3686645723-710336880-414668232-1000\how_recover+lhf.txt

Ransom Note

111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 NOT YOUR LANGUAGE? USE https://translate.google.com What happened to your files ? All of your files were protected by a strong encryption with RSA-4096. More information about the encryption keys using RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) What does this mean ? This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them. 111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 How did this happen ? ---Specially for your PC was generated personal RSA-4096 KEY, both public and private. ---ALL YOUR FILES were encrypted with the public key, which has been transferred to your computer via the Internet. 111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111 Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server. What do I do ? So, there are two ways you can choose: wait for a miracle and get your price doubled, or start obtaining BTC NOW, and restore your data easy way. If You have really valuable data, you better not waste your time, because there is no other way to get your files, except make a payment. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1. http://vr6g2curb2kcidou.encpayment23.com/8DB09D80909DABC 2. http://vr6g2curb2kcidou.expay34.com/8DB09D80909DABC 3. http://psbc532jm8c.hsh73cu37n1.net/8DB09D80909DABC 4. https://vr6g2curb2kcidou.onion.to/8DB09D80909DABC If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization. 3. Type in the address bar: vr6g2curb2kcidou.onion/8DB09D80909DABC 4. Follow the instructions on the site. IMPORTANT INFORMATION: Your personal pages: http://vr6g2curb2kcidou.encpayment23.com/8DB09D80909DABC http://vr6g2curb2kcidou.expay34.com/8DB09D80909DABC http://psbc532jm8c.hsh73cu37n1.net/8DB09D80909DABC https://vr6g2curb2kcidou.onion.to/8DB09D80909DABC Your personal page (using TOR-Browser): vr6g2curb2kcidou.onion/8DB09D80909DABC Your personal identification number (if you open the site (or TOR-Browser's) directly): 8DB09D80909DABC 111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111

URLs

http://vr6g2curb2kcidou.encpayment23.com/8DB09D80909DABC

http://vr6g2curb2kcidou.expay34.com/8DB09D80909DABC

http://psbc532jm8c.hsh73cu37n1.net/8DB09D80909DABC

https://vr6g2curb2kcidou.onion.to/8DB09D80909DABC

http://vr6g2curb2kcidou.onion/8DB09D80909DABC

Extracted

Path

C:\Users\Admin\Desktop\Howto_RESTORE_FILES.html

Ransom Note

NOT YOUR LANGUAGE? USE Google Translate What happened to your files? protected by a strong encryption with RSA-4096 More information about the encryption RSA-4096 can be found here: http://en.wikipedia.org/wiki/RSA_(cryptosystem) does this mean? means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them. All your files were encrypted with the public key, which has been transferred to your computer via the Internet. Decrypting of YOUR FILES is only possible with the help of the private key and decrypt program, which is on our Secret Server!!! * do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed. If you really need your data, then we suggest you do not waste valuable time searching for other solutions becausen they do not exist. For more specific instructions, please visit your personal home page, there are a few different addresses pointing to your page below: 1.http://vr6g2curb2kcidou.encpayment23.com/8DB09D80909DABC 2.http://vr6g2curb2kcidou.expay34.com/8DB09D80909DABC 3.http://psbc532jm8c.hsh73cu37n1.net/8DB09D80909DABC 4.https://vr6g2curb2kcidou.onion.to/8DB09D80909DABC If for some reasons the addresses are not available, follow these steps: 1. Download and install tor-browser: http://www.torproject.org/projects/torbrowser.html.en 2. After a successful installation, run the browser and wait for initialization. 3. Type in the tor-browser address bar: vr6g2curb2kcidou.onion/8DB09D80909DABC 4. Follow the instructions on the site. IMPORTANT INFORMATION: Your Personal PAGES: http://vr6g2curb2kcidou.encpayment23.com/8DB09D80909DABC http://vr6g2curb2kcidou.expay34.com/8DB09D80909DABC http://psbc532jm8c.hsh73cu37n1.net/8DB09D80909DABC https://vr6g2curb2kcidou.onion.to/8DB09D80909DABC Your Personal PAGES (using TOR-Browser): vr6g2curb2kcidou.onion/8DB09D80909DABC Your personal code (if you open the site (or TOR-Browser's) directly):

URLs

http://vr6g2curb2kcidou.onion/8DB09D80909DABC

http://vr6g2curb2kcidou.encpayment23.com/8DB09D80909DABC

http://vr6g2curb2kcidou.expay34.com/8DB09D80909DABC

http://psbc532jm8c.hsh73cu37n1.net/8DB09D80909DABC

https://vr6g2curb2kcidou.onion.to/8DB09D80909DABC

Signatures

suricata: ET MALWARE AlphaCrypt CnC Beacon 5
suricata
suricata: ET MALWARE AlphaCrypt CnC Beacon 6
suricata
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 5 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid process

2424 bcdedit.exe
2232 bcdedit.exe
1852 bcdedit.exe
1308 bcdedit.exe
3436 bcdedit.exe
Executes dropped EXE 2 IoCs

Processes:

mxeqtacroic.exemxeqtacroic.exe

pid process

3628 mxeqtacroic.exe
412 mxeqtacroic.exe

pid	process
2424	bcdedit.exe
2232	bcdedit.exe
1852	bcdedit.exe
1308	bcdedit.exe
3436	bcdedit.exe

pid	process
3628	mxeqtacroic.exe
412	mxeqtacroic.exe

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

mxeqtacroic.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\MeasureWait.raw => C:\Users\Admin\Pictures\MeasureWait.raw.vvv	mxeqtacroic.exe
File renamed	C:\Users\Admin\Pictures\MoveUnregister.png => C:\Users\Admin\Pictures\MoveUnregister.png.vvv	mxeqtacroic.exe
File renamed	C:\Users\Admin\Pictures\PushRequest.png => C:\Users\Admin\Pictures\PushRequest.png.vvv	mxeqtacroic.exe
File renamed	C:\Users\Admin\Pictures\SkipConfirm.png => C:\Users\Admin\Pictures\SkipConfirm.png.vvv	mxeqtacroic.exe
File renamed	C:\Users\Admin\Pictures\DebugUpdate.png => C:\Users\Admin\Pictures\DebugUpdate.png.vvv	mxeqtacroic.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

mxeqtacroic.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	mxeqtacroic.exe

Drops startup file 4 IoCs

Processes:

mxeqtacroic.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+lhf.txt	mxeqtacroic.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\how_recover+lhf.html	mxeqtacroic.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\how_recover+lhf.txt	mxeqtacroic.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\how_recover+lhf.html	mxeqtacroic.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

mxeqtacroic.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run	mxeqtacroic.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Windows\CurrentVersion\Run\Acrndtd = "C:\\Users\\Admin\\AppData\\Roaming\\mxeqtacroic.exe"	mxeqtacroic.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

14 myexternalip.com
16 myexternalip.com

flow	ioc
14	myexternalip.com
16	myexternalip.com

Suspicious use of SetThreadContext 2 IoCs

Processes:

e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37.sample.exemxeqtacroic.exe

description	pid	process	target process
PID 2256 set thread context of 3484	2256	e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37.sample.exe	e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37.sample.exe
PID 3628 set thread context of 412	3628	mxeqtacroic.exe	mxeqtacroic.exe

Drops file in Program Files directory 64 IoCs

Processes:

mxeqtacroic.exe

description	ioc	process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-64_altform-unplated.png	mxeqtacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Images\Ratings\Yelp3.scale-125.png	mxeqtacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\how_recover+lhf.txt	mxeqtacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-24_contrast-white.png	mxeqtacroic.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_winxp_blu.css	mxeqtacroic.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\how_recover+lhf.html	mxeqtacroic.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\PhotosSmallTile.contrast-white_scale-100.png	mxeqtacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\ax_60x42.png	mxeqtacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\images\how_recover+lhf.html	mxeqtacroic.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VC\how_recover+lhf.html	mxeqtacroic.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelFluent@2x.png	mxeqtacroic.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mr\how_recover+lhf.txt	mxeqtacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Tournament\ProgressBarFilled.png	mxeqtacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-white\LargeTile.scale-100_contrast-white.png	mxeqtacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-256_contrast-black.png	mxeqtacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-30_contrast-white.png	mxeqtacroic.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\how_recover+lhf.html	mxeqtacroic.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WorldClockWideTile.contrast-black_scale-125.png	mxeqtacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Beach\beach_12d.png	mxeqtacroic.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.targetsize-20.png	mxeqtacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1702.312.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-48_altform-unplated_contrast-white.png	mxeqtacroic.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeBadge.scale-400.png	mxeqtacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\LargeTile.scale-125.png	mxeqtacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Home\WideTile.scale-200.png	mxeqtacroic.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\how_recover+lhf.html	mxeqtacroic.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-140.png	mxeqtacroic.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\how_recover+lhf.html	mxeqtacroic.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11701.1001.87.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreAppList.scale-100.png	mxeqtacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_neutral_~_8wekyb3d8bbwe\how_recover+lhf.txt	mxeqtacroic.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-addtotable@2x.png	mxeqtacroic.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_25.25.13009.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubWideTile.scale-125_contrast-high.png	mxeqtacroic.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\2708_20x20x32.png	mxeqtacroic.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxCalendarLargeTile.scale-125.png	mxeqtacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Awards\challenge\Become_a_Star_.png	mxeqtacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Buttons\TryAgain\TryAgain-press.mobile.png	mxeqtacroic.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\ExchangeSmallTile.scale-125.png	mxeqtacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\how_recover+lhf.html	mxeqtacroic.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\en-GB.pak	mxeqtacroic.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Resources\1033\how_recover+lhf.html	mxeqtacroic.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\1033\how_recover+lhf.html	mxeqtacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Audio\how_recover+lhf.txt	mxeqtacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\SmallTile.scale-125.png	mxeqtacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\how_recover+lhf.txt	mxeqtacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\AppCore\Location\how_recover+lhf.html	mxeqtacroic.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Configuration\ssn_high_group_info.txt	mxeqtacroic.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ga\how_recover+lhf.html	mxeqtacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\how_recover+lhf.html	mxeqtacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\ch_60x42.png	mxeqtacroic.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	mxeqtacroic.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-180.png	mxeqtacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\6528_32x32x32.png	mxeqtacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\kh_60x42.png	mxeqtacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Arkadium.Win10.Xaml.Toolkit\Assets\XboxControl\Xbox-up.png	mxeqtacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\Sticker_Icon_TeethSmile.png	mxeqtacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\PeopleAppList.scale-200.png	mxeqtacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteAppList.targetsize-72_altform-unplated.png	mxeqtacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-white\how_recover+lhf.html	mxeqtacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-64.png	mxeqtacroic.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\how_recover+lhf.txt	mxeqtacroic.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kk\how_recover+lhf.txt	mxeqtacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\HowToPlay\TriPeaks\Goal_1.jpg	mxeqtacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.scale-200.png	mxeqtacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Classic\classic_1s.png	mxeqtacroic.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-black\how_recover+lhf.html	mxeqtacroic.exe

Drops file in Windows directory 1 IoCs

Processes:

MicrosoftEdge.exe

description ioc process

File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

4124 vssadmin.exe
3768 vssadmin.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

pid	process
4124	vssadmin.exe
3768	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\EnableNegotiate = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Roaming\ChangeUnitGenerationNeeded = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites\Order = 0c0000000a000000000000000c0000000100000000000000	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B72164C = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\ImageStoreRandomFolder = "xd8dyzq"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Rating Prompt Shown = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$blogger	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates\4EEF7FAF0062D34ABEE	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = c75511ee2582d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. = 0100000072bdf5546caeed7f4487f9ad4ff8aad4d2b107d54061cea101bf5310c761e74a7b45b1ba5736f5b6dc8fb4a016ffe6c3313cad07dde1fa0dbbddbbb70a258aa8f69a6f5f3f57685602cdd0b9aa2b7bc9decbef4f7ea1c7afa3a5	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 392ba8002682d701	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\NextBrowserDataLogTime = c038f6525882d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url4 = "https://login.live.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionIn = "5"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$Telligent	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DontShowMeThisDialogAgain	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage\ProcessingFlag = 70f38d002682d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

3616 NOTEPAD.EXE

pid	process
3616	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

mxeqtacroic.exe

pid	process
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe
412	mxeqtacroic.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

MicrosoftEdgeCP.exe

pid process

4184 MicrosoftEdgeCP.exe

pid	process
4184	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37.sample.exemxeqtacroic.exevssvc.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	pid	process
Token: SeDebugPrivilege	3484	e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37.sample.exe
Token: SeDebugPrivilege	412	mxeqtacroic.exe
Token: SeBackupPrivilege	2012	vssvc.exe
Token: SeRestorePrivilege	2012	vssvc.exe
Token: SeAuditPrivilege	2012	vssvc.exe
Token: SeDebugPrivilege	1908	MicrosoftEdge.exe
Token: SeDebugPrivilege	1908	MicrosoftEdge.exe
Token: SeDebugPrivilege	1908	MicrosoftEdge.exe
Token: SeDebugPrivilege	1908	MicrosoftEdge.exe
Token: SeDebugPrivilege	4272	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4272	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4272	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4272	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4536	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4536	MicrosoftEdgeCP.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exe

pid process

1908 MicrosoftEdge.exe
4184 MicrosoftEdgeCP.exe
4184 MicrosoftEdgeCP.exe

pid	process
1908	MicrosoftEdge.exe
4184	MicrosoftEdgeCP.exe
4184	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37.sample.exee272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37.sample.exemxeqtacroic.exemxeqtacroic.exeMicrosoftEdgeCP.exe

description	pid	process	target process
PID 2256 wrote to memory of 3484	2256	e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37.sample.exe	e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37.sample.exe
PID 2256 wrote to memory of 3484	2256	e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37.sample.exe	e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37.sample.exe
PID 2256 wrote to memory of 3484	2256	e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37.sample.exe	e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37.sample.exe
PID 2256 wrote to memory of 3484	2256	e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37.sample.exe	e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37.sample.exe
PID 2256 wrote to memory of 3484	2256	e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37.sample.exe	e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37.sample.exe
PID 2256 wrote to memory of 3484	2256	e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37.sample.exe	e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37.sample.exe
PID 2256 wrote to memory of 3484	2256	e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37.sample.exe	e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37.sample.exe
PID 2256 wrote to memory of 3484	2256	e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37.sample.exe	e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37.sample.exe
PID 2256 wrote to memory of 3484	2256	e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37.sample.exe	e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37.sample.exe
PID 2256 wrote to memory of 3484	2256	e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37.sample.exe	e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37.sample.exe
PID 3484 wrote to memory of 3628	3484	e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37.sample.exe	mxeqtacroic.exe
PID 3484 wrote to memory of 3628	3484	e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37.sample.exe	mxeqtacroic.exe
PID 3484 wrote to memory of 3628	3484	e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37.sample.exe	mxeqtacroic.exe
PID 3484 wrote to memory of 1956	3484	e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37.sample.exe	cmd.exe
PID 3484 wrote to memory of 1956	3484	e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37.sample.exe	cmd.exe
PID 3484 wrote to memory of 1956	3484	e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37.sample.exe	cmd.exe
PID 3628 wrote to memory of 412	3628	mxeqtacroic.exe	mxeqtacroic.exe
PID 3628 wrote to memory of 412	3628	mxeqtacroic.exe	mxeqtacroic.exe
PID 3628 wrote to memory of 412	3628	mxeqtacroic.exe	mxeqtacroic.exe
PID 3628 wrote to memory of 412	3628	mxeqtacroic.exe	mxeqtacroic.exe
PID 3628 wrote to memory of 412	3628	mxeqtacroic.exe	mxeqtacroic.exe
PID 3628 wrote to memory of 412	3628	mxeqtacroic.exe	mxeqtacroic.exe
PID 3628 wrote to memory of 412	3628	mxeqtacroic.exe	mxeqtacroic.exe
PID 3628 wrote to memory of 412	3628	mxeqtacroic.exe	mxeqtacroic.exe
PID 3628 wrote to memory of 412	3628	mxeqtacroic.exe	mxeqtacroic.exe
PID 3628 wrote to memory of 412	3628	mxeqtacroic.exe	mxeqtacroic.exe
PID 412 wrote to memory of 2424	412	mxeqtacroic.exe	bcdedit.exe
PID 412 wrote to memory of 2424	412	mxeqtacroic.exe	bcdedit.exe
PID 412 wrote to memory of 3768	412	mxeqtacroic.exe	vssadmin.exe
PID 412 wrote to memory of 3768	412	mxeqtacroic.exe	vssadmin.exe
PID 412 wrote to memory of 2232	412	mxeqtacroic.exe	bcdedit.exe
PID 412 wrote to memory of 2232	412	mxeqtacroic.exe	bcdedit.exe
PID 412 wrote to memory of 1852	412	mxeqtacroic.exe	bcdedit.exe
PID 412 wrote to memory of 1852	412	mxeqtacroic.exe	bcdedit.exe
PID 412 wrote to memory of 1308	412	mxeqtacroic.exe	bcdedit.exe
PID 412 wrote to memory of 1308	412	mxeqtacroic.exe	bcdedit.exe
PID 412 wrote to memory of 3436	412	mxeqtacroic.exe	bcdedit.exe
PID 412 wrote to memory of 3436	412	mxeqtacroic.exe	bcdedit.exe
PID 412 wrote to memory of 3616	412	mxeqtacroic.exe	NOTEPAD.EXE
PID 412 wrote to memory of 3616	412	mxeqtacroic.exe	NOTEPAD.EXE
PID 412 wrote to memory of 3616	412	mxeqtacroic.exe	NOTEPAD.EXE
PID 412 wrote to memory of 4124	412	mxeqtacroic.exe	vssadmin.exe
PID 412 wrote to memory of 4124	412	mxeqtacroic.exe	vssadmin.exe
PID 4184 wrote to memory of 4272	4184	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4184 wrote to memory of 4272	4184	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4184 wrote to memory of 4272	4184	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4184 wrote to memory of 4272	4184	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4184 wrote to memory of 4272	4184	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4184 wrote to memory of 4272	4184	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 412 wrote to memory of 4448	412	mxeqtacroic.exe	cmd.exe
PID 412 wrote to memory of 4448	412	mxeqtacroic.exe	cmd.exe
PID 412 wrote to memory of 4448	412	mxeqtacroic.exe	cmd.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

mxeqtacroic.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	mxeqtacroic.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	mxeqtacroic.exe

C:\Users\Admin\AppData\Local\Temp\e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37.sample.exe
"C:\Users\Admin\AppData\Local\Temp\e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37.sample.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2256

C:\Users\Admin\AppData\Local\Temp\e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37.sample.exe
"C:\Users\Admin\AppData\Local\Temp\e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37.sample.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3484

C:\Users\Admin\AppData\Roaming\mxeqtacroic.exe
C:\Users\Admin\AppData\Roaming\mxeqtacroic.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3628

C:\Users\Admin\AppData\Roaming\mxeqtacroic.exe
C:\Users\Admin\AppData\Roaming\mxeqtacroic.exe
4⤵
- Executes dropped EXE
- Modifies extensions of user files
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:412

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {current} bootems off
5⤵
- Modifies boot configuration data using bcdedit
PID:2424

C:\Windows\System32\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
5⤵
- Interacts with shadow copies
PID:3768

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {current} advancedoptions off
5⤵
- Modifies boot configuration data using bcdedit
PID:2232

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {current} optionsedit off
5⤵
- Modifies boot configuration data using bcdedit
PID:1852

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {current} bootstatuspolicy IgnoreAllFailures
5⤵
- Modifies boot configuration data using bcdedit
PID:1308

C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set {current} recoveryenabled off
5⤵
- Modifies boot configuration data using bcdedit
PID:3436

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Howto_RESTORE_FILES.txt
5⤵
- Opens file in notepad (likely ransom note)
PID:3616

C:\Windows\System32\vssadmin.exe
"C:\Windows\System32\vssadmin.exe" delete shadows /all /Quiet
5⤵
- Interacts with shadow copies
PID:4124

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Roaming\MXEQTA~1.EXE
5⤵
PID:4448

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c DEL C:\Users\Admin\AppData\Local\Temp\E272F3~1.EXE
3⤵
PID:1956

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1908

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3752

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4184

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4272

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4536

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4692

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\how_recover+lhf.html
MD5
bdedc3c9607ac3bfd8f8be7c646deae8

SHA1
169b3038c633c1875a9ab29e2cdb02225719bf0f

SHA256
9b8bad18e991e85ce1b08f2ea16da595969e19cc74f9ae3e14a93b1a89fa6d9c

SHA512
8547963b59acdad8f8b6cdb3186e225f13e905a082ac04fed9f42390dbe2db8c6aab3b60b3543281d176b3c620cf20b34514e76e121c22bd17a79d48ca67789f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs\how_recover+lhf.txt
MD5
5f10ddb4a89b98007dca0be0b9eaf81d

SHA1
44b25d3769c928ad93bdfd851e6e450298ac2652

SHA256
9a2248253201c56a35949a943dba4de9db11766c7daf7e9c482f377161f1a584

SHA512
e133e38c49cca594cecc987f01ea5dce2e2562df4a781ed03c736106e2d544ea0dc8c3f341e6506e37dfac6b90677148d82286dae34777512fdc22a37819b581

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\how_recover+lhf.html
MD5
bdedc3c9607ac3bfd8f8be7c646deae8

SHA1
169b3038c633c1875a9ab29e2cdb02225719bf0f

SHA256
9b8bad18e991e85ce1b08f2ea16da595969e19cc74f9ae3e14a93b1a89fa6d9c

SHA512
8547963b59acdad8f8b6cdb3186e225f13e905a082ac04fed9f42390dbe2db8c6aab3b60b3543281d176b3c620cf20b34514e76e121c22bd17a79d48ca67789f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs\how_recover+lhf.txt
MD5
5f10ddb4a89b98007dca0be0b9eaf81d

SHA1
44b25d3769c928ad93bdfd851e6e450298ac2652

SHA256
9a2248253201c56a35949a943dba4de9db11766c7daf7e9c482f377161f1a584

SHA512
e133e38c49cca594cecc987f01ea5dce2e2562df4a781ed03c736106e2d544ea0dc8c3f341e6506e37dfac6b90677148d82286dae34777512fdc22a37819b581

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\how_recover+lhf.html
MD5
bdedc3c9607ac3bfd8f8be7c646deae8

SHA1
169b3038c633c1875a9ab29e2cdb02225719bf0f

SHA256
9b8bad18e991e85ce1b08f2ea16da595969e19cc74f9ae3e14a93b1a89fa6d9c

SHA512
8547963b59acdad8f8b6cdb3186e225f13e905a082ac04fed9f42390dbe2db8c6aab3b60b3543281d176b3c620cf20b34514e76e121c22bd17a79d48ca67789f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\how_recover+lhf.txt
MD5
5f10ddb4a89b98007dca0be0b9eaf81d

SHA1
44b25d3769c928ad93bdfd851e6e450298ac2652

SHA256
9a2248253201c56a35949a943dba4de9db11766c7daf7e9c482f377161f1a584

SHA512
e133e38c49cca594cecc987f01ea5dce2e2562df4a781ed03c736106e2d544ea0dc8c3f341e6506e37dfac6b90677148d82286dae34777512fdc22a37819b581

Download Submit
C:\Users\Admin\AppData\Roaming\mxeqtacroic.exe
MD5
d0d3086cd72eb31385bf6406042cc404

SHA1
11f9bb5c17fe32b48d44575a29e94dd082d38483

SHA256
e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37

SHA512
153dce24258abfc3440208b100c26a847c2396fe7893844ba8d8e66659e4cd567d2ab8ac9d9d19e7cdc80b6dc89080b1966bf5f2d82ef76bfc814902beae071e

Download Submit
C:\Users\Admin\AppData\Roaming\mxeqtacroic.exe
MD5
d0d3086cd72eb31385bf6406042cc404

SHA1
11f9bb5c17fe32b48d44575a29e94dd082d38483

SHA256
e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37

SHA512
153dce24258abfc3440208b100c26a847c2396fe7893844ba8d8e66659e4cd567d2ab8ac9d9d19e7cdc80b6dc89080b1966bf5f2d82ef76bfc814902beae071e

Download Submit
C:\Users\Admin\AppData\Roaming\mxeqtacroic.exe
MD5
d0d3086cd72eb31385bf6406042cc404

SHA1
11f9bb5c17fe32b48d44575a29e94dd082d38483

SHA256
e272f32a45aa342b823aaf26687357f45f39d4f836d3529169340e4893c08c37

SHA512
153dce24258abfc3440208b100c26a847c2396fe7893844ba8d8e66659e4cd567d2ab8ac9d9d19e7cdc80b6dc89080b1966bf5f2d82ef76bfc814902beae071e

Download Submit
C:\Users\Admin\Desktop\Howto_RESTORE_FILES.html
MD5
bdedc3c9607ac3bfd8f8be7c646deae8

SHA1
169b3038c633c1875a9ab29e2cdb02225719bf0f

SHA256
9b8bad18e991e85ce1b08f2ea16da595969e19cc74f9ae3e14a93b1a89fa6d9c

SHA512
8547963b59acdad8f8b6cdb3186e225f13e905a082ac04fed9f42390dbe2db8c6aab3b60b3543281d176b3c620cf20b34514e76e121c22bd17a79d48ca67789f

Download Submit
C:\Users\Admin\Desktop\Howto_RESTORE_FILES.txt
MD5
5f10ddb4a89b98007dca0be0b9eaf81d

SHA1
44b25d3769c928ad93bdfd851e6e450298ac2652

SHA256
9a2248253201c56a35949a943dba4de9db11766c7daf7e9c482f377161f1a584

SHA512
e133e38c49cca594cecc987f01ea5dce2e2562df4a781ed03c736106e2d544ea0dc8c3f341e6506e37dfac6b90677148d82286dae34777512fdc22a37819b581

Download Submit
memory/412-124-0x0000000000409350-mapping.dmp

Download
memory/412-126-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/1308-131-0x0000000000000000-mapping.dmp

Download
memory/1852-130-0x0000000000000000-mapping.dmp

Download
memory/1956-120-0x0000000000000000-mapping.dmp

Download
memory/2232-129-0x0000000000000000-mapping.dmp

Download
memory/2256-114-0x0000000000760000-0x00000000008AA000-memory.dmp

Filesize
1.3MB

Download
memory/2424-127-0x0000000000000000-mapping.dmp

Download
memory/3436-132-0x0000000000000000-mapping.dmp

Download
memory/3484-121-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3484-115-0x0000000000400000-0x0000000000485000-memory.dmp

Filesize
532KB

Download
memory/3484-116-0x0000000000409350-mapping.dmp

Download
memory/3616-133-0x0000000000000000-mapping.dmp

Download
memory/3628-122-0x0000000000760000-0x00000000008AA000-memory.dmp

Filesize
1.3MB

Download
memory/3628-117-0x0000000000000000-mapping.dmp

Download
memory/3768-128-0x0000000000000000-mapping.dmp

Download
memory/4124-136-0x0000000000000000-mapping.dmp

Download
memory/4448-138-0x0000000000000000-mapping.dmp

Download